By Brian Bokoske –
I must confess that I find it hard to go a day without checking out a new device or gadget I can play around with and learn more about. Because of this, I spend an unjustifiable amount of time on Kickstarter. A little less than a year ago I discovered a campaign on the site for a product called the “Chameleon.” The Chameleon is a device that can be used to emulate, test, and manipulate NFC chips and readers. To give some context to my interest in this project, I bring up my vacation in Boston, Massachusetts that occurred around the same time as the launch. During my time in Boston I frequently utilized the subway system known as “The T”. The gates to enter the subway verify payment using either paper tickets with magnetic strips or plastic contactless cards. The paper tickets are often discarded do to their flimsiness while the plastic cards are durable and refillable. After doing a quick google search for how the contactless subway cards work, I found that every single plastic card was using NFC. Given my new interest and its relevance to my daily subway trips, I decided to put down €99 for a Chameleon device. After a year’s wait due to manufacturing delays, I finally have my Chameleon in hand and I am happy to share my experiences with you.
Going into my experiments with the Chameleon, I really didn’t have much background in NFC. My only experiences had been playing around with little NFC stickers to do things like change certain settings on my phone. Due to my lack of experience, I came up with some very simple theories about what I could accomplish with Chameleon. These theories are based on attack scenarios I came up with after reading claims made about the Chameleon on Kickstarter. My thoughts were as follows:
- The Chameleon’s creators boast about the device’s ability to emulate some of the most popular NFC cards on the market. The Chameleon can accomplish this with nothing more than a dump file from the victim card. Dump files create a situation where cloning a card is possible without even having the card in front of you.
- The Chameleon project says the device is able to be controlled via Python Scripts. I might be able to execute a brute force attack on an NFC authentication system by randomly generating ID numbers and emulating those numbers on the Chameleon.
- Most modern smartphones have the hardware to leverage the NFC standard. It could be possible to read someone’s NFC card using my phone and then use that information to create a clone of the card on the Chameleon. A combination of social engineering and the Chameleon device would work here.
I turned these thoughts into tasks for me to complete during my experimentation with the Chameleon. Testing some of these situations could have been legally problematic so I had to find a way to reproduce a test environment myself to make sure I was not breaking any laws. In order to complete these tests at home, all I had to do was download a screen lock app on my NFC capable Samsung Galaxy S6 Active that authenticates using the data on any assigned NFC chip.
Since my interest in NFC technology started with my trips on the Boston subway, I figured this would be where I began my research. My first step was to reach out to the Chameleon project creators and ask if they have done any research related to my interests in the Subway and Chameleon. Dr. David Oswald was kind enough to reach out to me with a response. He explained to me that as late as 2012, research was showing that the subway in Boston was using the Mifare Ultralight standard of NFC cards for their ticketing system. Mifare is a company that manufactures NFC cards for use around the world in all kinds of applications. The card models differ in memory size, usable commands, and the use (or not) of different types of security keys. The security keys come in AES, 3DES, and proprietary variants depending on the card. The use of Mifare Ultralight cards in the Boston subway is extremely problematic because it does not contain any sort of security key exchange. In fact, the card is essentially just 512 bits of NFC readable memory. Due to the lack of security protocol on these cards, the contents of the memory can easily be cloned or manipulated. Although I couldn’t find information on whether or not the Boston subway still uses the Mifare Ultralight cards, I’m sure the cards are still in use in other places. As a result of Mifare Ultralight implementation being cheap and simple, the cards are widespread in everything from public transit ticket systems to employee identification systems. Due to there being no security built into Mifare Ultralight, all of the systems with it implemented are vulnerable to attacks from a device like the Chameleon. Even someone who knows very little about the physical data exchange and science behind NFC technology can carry out these attacks. The ease of attack is why the systems that use Mifare Ultralight are so vulnerable and problematic.
The first real step to proving my initial hypothesis point was to obtain a dump file for a Mifare Ultralight card. Luckily, I found a dump file on the Chameleon GitHub. A Mifare Ultralight dump is a hexadecimal file containing 64 pairs. This is a representation of how the data is stored on the card’s memory. Many NFC devices and readers also use this hex interpretation when reading the data from cards. I uploaded the file to the Chameleon and checked that the data I read from the file on my computer was actually on the Chameleon. I accomplished this using a simple NFC reader app on my phone. This upload worked perfectly and my theory was confirmed. This is problematic because if one person obtains a dump file for a card that permits access to something like an office building, anyone can upload it to a Chameleon device and gain access to that building. This is no longer just a danger to finances or data but a danger to people as well.
In order to test my second hypothesis, I had to learn how to interact with the Chameleon device using python. Since the chameleon has drivers and communicates over a serial port, writing a script to control it was fairly straightforward. The purpose of my script was to brute force the NFC lock screen app on my Samsung Galaxy S6 Active. The app has no device lock after a certain amount of incorrect attempts so there was no need to take that into account. My script ran through all the possible combinations of letters and numbers that can be used in the UID of a Mifare Ultralight card from my batch. Due to my test cards being purchased at the same time from the same place, the specific UID constraints of my test batch might not be the same as a different batch of cards. The UID of an Ultralight card is 14 characters long and can contain both capital letters and numbers. However, only 4 of those characters changed throughout my batch of cards. Within those 4 characters, only two of them could be letters OR numbers. The other 2 changing characters were numbers only. This means there were approximately 129,600 different UIDs I had to guess in order to unlock my phone. My NFC app was only fast enough to process a different UID every 2 seconds which means if the UID to unlock my phone was the last one to be guessed, it would take about 72 hours to guess it. I was very fortunate that my script unlocked the phone after about 31 hours instead of the full 72 hours. The chameleon can successfully be used to emulate a massive amount of cards with a simple script so that it can be used to brute force an NFC authentication system.
My third and final theory was that I can use some social engineering to gain physical access to someone’s NFC card, inconspicuously get the UID with a simple smartphone app, and emulate that card on the chameleon device. To do this, I first had to find a friend who used NFC cards and wasn’t going to turn me in for stealing their card information. This became easy when an old friend from high school invited me to visit him at Northeastern University. Many of the dorms at Northeastern use NFC locks on their doors. When he was giving me a tour of his dorm building I managed to convince him to let me unlock his door for him because “the locks at my college were old and boring” and his lock was “techie and cool.” He laughed and handed me the card. All I had to do was touch the card to my phone in my hand while an NFC tag info app was open. I then used the card on his door and handed it back to him. Later that day I opened the app back up on my phone and the UID of his key card was visible on the screen. I set the UID of the Chameleon to what I read on the screen. I asked my friend if I could show him something and sure enough the Chameleon unlocked his door. He was a little worried about how I essentially broke into his dorm room so I had to explain myself to him over the next few minutes. This method of attack was extremely effective because there was no need to have the bare circuit, suspicious looking Chameleon out when obtaining the UID of a card. No one suspects you are doing something malicious by simply having your phone in your hand.
For anyone looking for more detailed information or guidance in reproducing my results, here you can find some screenshots and descriptions of my actions during testing. I’ll go through my tests in numbered order the exact way they are laid out in the hypothesis section.
- The lock app I downloaded can be found on the android app store. It walks you through setup and is very simple to use. Below you can find a screenshot of the app’s listing:
The dump I downloaded was found on the Chameleon Mini GitHub. You can visit the dump directory of the GitHub at: https://github.com/emsec/ChameleonMini/tree/master/Dumps
In order to upload a dump file to the Chameleon, you need to interface with the device via serial. This can be done with a program such as TerraTerm or Putty. I used TerraTerm because many of the instructions on the Chameleon Mini GitHub are written for use with TerraTerm. Once you open TerraTerm and select the correct COM port the Chameleon, typing help will bring up a list of commands. Many of these are straight forward but further explanation can be found on the ChameleonMini GitHub page at:
To upload the dump file you have to first select one of six slots available on the Chameleon. To do this you type “setting=1”. After setting the slot, you have to set the type of card you are emulating. In the case of my test, the type of card is Mifare Classic. You can set this by typing “config=MF_ULTRALIGHT”. Once the slot is configured all you have to do is type “upload” and the Chameleon will wait for an XMODEM connection with a file in it. To upload in TerraTerm click “file, transfer, XMODEM, Send…” and it will prompt you for the file you are going to upload (see below). This is the last step in uploading the dump file. You can verify the dump was uploaded properly by typing “uid?” into TerraTerm. This UID should match the information visible when opening the .mfd (the dump file) in a hex editor. I use HxD (see below) but it really doesn’t matter. You just have to make sure the uid currently being emulated by the Chameleon is present in the hex data contained in the .mfd file.
- For Python Control of the Chameleon you don’t need to directly control the Chameleon at all. As long as you know the COM port the Chameleon is using you can run the script I wrote to brute force NFC authentication. It may have to be modified depending on the type of card you are emulating and the slot you want to use but all of that is explained in the Python code. Additionally, more or less random generation loops will have to be added depending on what parts of the UID remain constant. My Python script can be found at:
- The technical details of the social engineering experiment are very similar to the first test. You have to configure the Chameleon’s slot and card type as explained in number 1. You can use any NFC app that displays UID. Then in TerraTerm (or your serial terminal application of choice) type “uid=[whatever your phone app says]”. This will set the UID of the current slot on the Chameleon. After the UID is set it’s just a matter of touching the Chameleon to the lock.
Working with NFC was both challenging and interesting. With the help of the Chameleon, my eyes were opened to how many vulnerabilities there can be within a single implementation of NFC. Just one device opens many doors that can be used to attack an NFC system. While the Chameleon is not the first device of its kind, it is the most user friendly and easy to learn. With a couple weeks of research I learned how to effectively use the Chameleon to compromise many of the NFC systems in place today. NFC manufacturers and implementers need to take NFC emulation devices like the Chameleon into account when designing their systems. NFC’s use in systems across America is growing every day. If new NFC systems continue to ignore the existence of emulation devices in order to pursue something like financial gain, I fear attacks like those I have tested will become unacceptably common.